In various networks, entity authentication is typically required so that one entity (referred to as the verifier) can verify the identity of another entity (referred to as the prover) before granting access, in order to prevent a security breach. For example, in the case of a sensor network, it is often necessary for a sensor node (verifier) configured to collect measurement data to verify a user requesting access to the sensor node through a server (prover) as a security measure. The user may be requesting access to retrieve various measurement data or to control/configure the sensor node. This ensures that the sensor network remains secure and that no unauthorized user is granted access to any sensor node in the sensor network.
Various entity authentication techniques exist in the art. For example, conventional two-factor authentication schemes typically use the ‘what you know’ factor (such as passwords and secret keys) as the first factor, combined with an additional second factor which may be a ‘what you have’ factor (such as physical tokens or dedicated channels) or a ‘what you are’ factor (such as biometrics). However, all these schemes assume that the verifier is a computationally powerful machine, which renders them inapplicable to networks with resource-constrained devices such as sensor nodes, SCADA Remote Terminal Units (RTUs), implantable medical devices and other Internet of Things (IoT) devices. For example, U.S. Pat. No. 8,812,864 B2 uses biometrics (the ‘what you are’ factor) as the second factor, and its requirements in computation power, memory and storage on the verifier are overwhelmingly demanding for typical embedded devices. U.S. Pat. No. 8,214,888 B2 uses a USB token (the ‘what you have’ factor) as the second factor, which, besides imposing a high resource demand on the verifier, is also not resilient to sensor node compromise or token compromise. U.S. Pat. No. 8,793,490 B1 uses two different channels to achieve authentication. However, the availability of two such channels may not be satisfied in sensor networks.
A need therefore exists to provide entity authentication in a network that seeks to overcome, or at least ameliorate, one or more of the deficiencies of conventional entity authentication techniques such as those mentioned above. It is against this background that the present invention has been developed.